Computer Security

Related information

  Buffer overflow in mshtml.dll

  Details and exploitation of buffer overflow in mshtml.dll (and a few sidenotes on Unicode overflows in general)

  Buffer Overflow in Microsoft Internet Explorer

  Advisory CA-2002-04 Buffer Overflow in Microsoft Internet Explorer

  Microsoft Security Bulletin MS02-005

From: 3APA3A <3APA3A_(at)>
Subject: dH & SECURITY.NNOV: buffer overflow in mshtml.dll

Topic:                    buffer overflow in mshtml.dll
Authors:                  ERRor and DarkZorro of domain Hell
                         3APA3A of SECURITY.NNOV
Date:                     February, 13 2002
Vendor Informed:          December, 20 2001
Software affected:        Microsoft Internet Explorer 6.0 and prior
                         Microsoft Outlook Express 6.0 and prior*
                         Microsoft Outlook 2000 and prior*
Remote:                   Yes
Exploitable:              Yes
Risk:                     High
SECURITY.NNOV advisories:
Thanks to:                Microsoft Security Response Center
                         and CERT for working with us
                         Andrey  Kolishak  for  helpful additional
                         information on this issue

Description:

mshtml.dll contains a buffer overflow that is triggered while parsing HTML
with embedded ActiveX components. A stack overrun occurs during the
concatenation of two Unicode strings. It is possible to exploit this
vulnerability to execute any code of the attacker's choice (we do have
proof-of-concept code; it will be published later, together with details
of the vulnerability). This overflow can only be exploited if the "Run
ActiveX Controls and Plugins" security option is enabled. *This option is
disabled by default for the Restricted Sites zone; Outlook 2000 and Outlook
Express 6.0 and prior with the security update installed open all mail in
that zone, but the option is enabled by default in all other cases. This
bug does not depend on the Windows version.
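The advisory only states that the stack overrun happens while two Unicode strings are concatenated. The C program below is an added illustration of that bug class; it is not code from mshtml.dll or from the advisory's authors. It shows a length check that compares a count of wide characters against sizeof(), which counts bytes, beside a concatenation that is bounded in characters and refuses input that would not fit. BUF_CHARS, flawed_fits, correct_fits, safe_concat and the helper names are chosen here for the example, and the sample strings are constructed.

```c
/* Constructed example of a Unicode concatenation bound gone wrong and a
 * bounded replacement. Not the mshtml.dll code; the names and inputs are
 * assumptions made for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>

#define BUF_CHARS 16   /* capacity of the destination in wchar_t units */

/* Flawed pre-check: wcslen() counts wide characters, but sizeof() yields a
 * count of BYTES, so the bound is too lax by a factor of sizeof(wchar_t)
 * (2 on Windows, 4 on most Unix systems). Input that passes this check can
 * still overrun a wchar_t[BUF_CHARS] buffer. */
bool flawed_fits(const wchar_t *a, const wchar_t *b)
{
    return wcslen(a) + wcslen(b) + 1 <= sizeof(wchar_t[BUF_CHARS]);
}

/* Correct pre-check: characters are compared against characters. */
bool correct_fits(const wchar_t *a, const wchar_t *b)
{
    return wcslen(a) + wcslen(b) + 1 <= BUF_CHARS;
}

/* Bounded concatenation: writes a followed by b into dst, whose capacity is
 * dst_chars wide characters including the terminator. When the result would
 * not fit, dst is left as an empty string and false is returned instead of
 * writing past the end. The arithmetic avoids size_t wrap-around. */
bool safe_concat(wchar_t *dst, size_t dst_chars,
                 const wchar_t *a, const wchar_t *b)
{
    size_t la = wcslen(a), lb = wcslen(b);
    if (dst_chars == 0)
        return false;
    if (la >= dst_chars || lb >= dst_chars - la) {   /* la + lb + 1 > dst_chars */
        dst[0] = L'\0';
        return false;
    }
    wmemcpy(dst, a, la);
    wmemcpy(dst + la, b, lb);
    dst[la + lb] = L'\0';
    return true;
}

/* Helper: concatenate into a BUF_CHARS buffer and report whether the call
 * succeeded and produced `expected`. */
bool concat_matches(const wchar_t *a, const wchar_t *b, const wchar_t *expected)
{
    wchar_t buf[BUF_CHARS];
    return safe_concat(buf, BUF_CHARS, a, b) && wcscmp(buf, expected) == 0;
}

/* Helper: report whether the bounded concatenation refused the input and
 * left an empty, terminated buffer behind. */
bool concat_rejected(const wchar_t *a, const wchar_t *b)
{
    wchar_t buf[BUF_CHARS];
    buf[0] = L'x';
    return !safe_concat(buf, BUF_CHARS, a, b) && buf[0] == L'\0';
}

int main(void)
{
    /* Constructed inputs: 10 + 10 characters, 21 with the terminator, which
     * cannot fit in a 16-character buffer. */
    const wchar_t *a = L"0123456789";
    const wchar_t *b = L"ABCDEFGHIJ";
    wprintf(L"flawed check accepts: %d, correct check accepts: %d\n",
            (int)flawed_fits(a, b), (int)correct_fits(a, b));
    wprintf(L"bounded concat rejected the same input: %d\n",
            (int)concat_rejected(a, b));
    wprintf(L"bounded concat of short input matches: %d\n",
            (int)concat_matches(L"abc", L"def", L"abcdef"));
    return 0;
}
```

The review point this demonstrates is that every quantity used in a wide-string bound must be in the same unit (characters or bytes, never mixed), and that a bounded routine should report failure rather than write past its buffer. Run under any C99 compiler; the flawed check accepts the 21-character result whether wchar_t is 2 or 4 bytes wide, while the correct check and the bounded concatenation both refuse it.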

Workaround:

Make sure the "Run ActiveX Controls and Plugins" option is disabled for the
Internet and Restricted Sites zones in the security options of Internet
Explorer. Check that the security zone for Outlook Express is set to
Restricted Sites.

Vendor and Solution:

Microsoft was notified on December, 20 2001. On February, 11 2002 Microsoft
released advisory MS02-005 and cumulative patch q316059 for Microsoft
Internet Explorer.

       { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
You know my name - look up my number (The Beatles)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod